New Crisis/MORCUT Malware Mounts in Virtual Machines

We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT noted that it is a backdoor that specifically targets Mac OS X systems. This time around, the Crisis/MORCUT we have on our hands runs on Windows and, interestingly, mounts virtual disks. It does this by checking VMware configuration files for the locations of any virtual machines installed on the host system.

The arrival mechanism for this variant has yet to be fully determined. However, it appears to start with the download of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac – the backdoor OSX_MORCUT.A, and win – a worm detected as WORM_MORCUT.A. The win file is executed on a Windows operating system. This file then drops the following component files:

IZsROY7X.-MP – (32-bit DLL) currently detected as WORM_MORCUT.A

t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A

eiYNz1gd.Cfp

WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A

6EaqyFfo.zIK – (64-bit device driver) detected as TROJ_MORCUT.A

lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file

Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount virtual disks. While these capabilities may suggest it should be spreading aggressively, we are not seeing many infections of either WORM_MORCUT.A or TROJ_MORCUT.A as of this writing.

Analyses of both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates on those. In the meantime, OfficeScan users should update to the latest patterns. All patterns are available in our Download Center.

Update as of August 24, 2012, 10:50 AM PST

The Java file that downloads WORM_MORCUT.A is now detected as JAVA_MORCUT.A. The files dropped by WORM_MORCUT.A are now known as RTKT_MORCUT.A. Both are cleaned by the latest pattern files.